ST_TUES_AM_0835_Dickson - NC AWWA-WEA

map.norsecorp.com
If possible I like starting off with a view of a live attack screen. Very effective means of conveying the compelling need for cybersecurity. If I’m using my PC I can set this up easily.
Don Dickinson
Phoenix Contact USA
NC AWWA-WEA Automation Committee
Agenda
 Growing need for cybersecurity
 Protecting critical infrastructure
 Key Standards & Guidance for Cybersecurity
   AWWA G430-14 Security Practices for Operation & Management
   NIST SP 800-82 Guide to Industrial Control System (ICS) Security
   ISA 62443-2-1 Security for Industrial Automation & Control Systems (IACS)
 Why a business case is needed
 How to develop a business case
Security breaches are inevitable…
Being a headline is not ®
Mandiant – A FireEye™ Company
Tough questions after attack…
Could you have done more to prevent this attack?
What is the impact on public safety?
Will I lose my job?
How will this impact the public’s confidence in your utility?
What is the environmental impact?
How will this impact your requests for funding?
What are the expected costs of fines and litigation?
Easy to sound like an alarmist…
the Cyber end is near
JPMorgan Chase
Security Threats
 Nation-State Attacks (by Russia, China, N Korea, many others including US)
 Extortion (Sony)
 Data Destruction (Sony, Saudi Aramco)
 Bank Card & Personal Data Breaches (US Office of Personnel Mgmt (22M affected), Anthem Health (80M), Premera Blue Cross (11M), JP Morgan Chase (76M), Home Depot (56M), Target (40M), many others)
 Third-Party Breaches (Target – HVAC connection, Home Depot – stolen vendor credentials)
 Critical Infrastructure (Telvent, Saudi Aramco, Iranian Nuclear Facilities, others)
Attacks double on SCADA in 2014
source: 2015 Dell Security Annual Threat Report
“Everyone knows the threats are real and the consequences dire, so we can no longer blame lack of awareness for the attacks that succeed.”
Patrick Sweeney, Executive Director Dell Security
Why isn’t security a bigger focus?
NBC Los Angeles: NewsChopper4 captures geyser blowing through Sunset Boulevard, flooding UCLA campus (July 29, 2014)
More pressing concerns…
Protecting Critical Infrastructure
Presidential Policy Directive – Critical Infrastructure Security and Resilience (PPD-21, February 12, 2013)
• Cyber threat to critical infrastructure continues to grow
• One of the most serious national security challenges for the US
• Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards
Key Security Standards & Guidance
 ANSI / AWWA G430-14 Security Practices for Operation and Management
 NIST Special Publication 800-82 rev 2: Guide to Industrial Control Systems (ICS) Security
 ANSI / ISA-62443-2-1 Security for Industrial Automation and Control Systems: Establishing an IACS Security Program
ANSI / AWWA G430-14
Security Practices for Operation and Management
Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.
ANSI / AWWA G430-14
Security Practices for Operation and Management
Requirements: Section 4.0
4.1 Explicit commitment to security
4.1.1 Explicit and visible commitment of senior leadership to security. The utility shall establish an explicit, visible, easily communicated, enterprise-wide commitment to security. This shall be represented by the development of a security plan, by policies, and by other documents that make security a part of daily operations visible to employees and customers.
NIST SP 800-82 Rev 2
Guide to Industrial Control Systems (ICS) Security
 Purpose is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions.
NIST SP 800-82 Rev 2
Guide to Industrial Control Systems (ICS) Security
4.1 Business Case for Security
The first step in implementing an information security program for ICS is to develop a compelling business case for the unique needs of the organization. The business case provides the business impact and financial justification for creating an integrated information security program.
ISA-62443 Security for Industrial Automation and Control Systems (IACS)
ANSI/ISA–62443-2-1 (99.02.01) – 2009
Establishing an Industrial Automation and Control Systems Security Program
 Describes the elements of a Cyber Security Management System (CSMS)
 Elements relate to policy, procedures, practices and personnel
ISA 62443-2-1
Develop a business rationale
4.2.2
 DESCRIPTION: A business rationale is based on the nature and magnitude of financial, health, safety, environmental, and other potential consequences should IACS cyber events occur.
 RATIONALE: Establishing a business rationale is essential for an organization to maintain management buy-in to an appropriate level of investment for the IACS cybersecurity program.
ISA 62443-2-1
Develop a business rationale
4.2.2.1
REQUIREMENTS: Develop a business rationale
 The organization should develop a high-level business rationale as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS.
ISA 62443-2-1
Develop a business rationale
Annex A (informative)
Guidance for developing the elements of a CSMS
 Description of element
 Element-specific information
 Supporting practices
 Baseline practices
 Additional practices
 Resources used
ISA 62443-2-1
Develop a business rationale
A.2.2.3
Key components of business rationale
 Prioritize business consequences – What events would have the greatest impact on the organization?
 Prioritize threats – Which are the most credible?
 Estimated annual business impact – What is the business impact, if possible, in financial terms?
 Cost – What is the estimated cost of the human effort and technical countermeasures that the business rationale intends to justify?
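The four A.2.2.3 components turned into arithmetic a utility could put in front of management: rank scenarios by estimated annual impact, then net the impact a countermeasure avoids against its annualized cost. This is an added illustration, not code from the presentation or from the ISA standard; the scenario names, dollar figures and annual rates are constructed placeholders for a hypothetical water utility.

```python
# Added illustration of the ISA 62443-2-1 A.2.2.3 business-rationale arithmetic.
# Not code from the presentation or the standard; every figure below is a
# constructed placeholder for a hypothetical water utility.
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    consequence_usd: float  # cost of one event: response, repair, fines, litigation
    annual_rate: float      # credible occurrences per year (threat credibility)

    def annual_impact(self) -> float:
        """Estimated annual business impact, in financial terms."""
        return self.consequence_usd * self.annual_rate

@dataclass
class Countermeasure:
    name: str
    annual_cost_usd: float  # human effort plus technology, annualized
    reduction: dict         # scenario name -> fraction of its annual rate removed

def prioritize(scenarios):
    """Rank scenarios by annual business impact, highest first."""
    return sorted(scenarios, key=lambda s: s.annual_impact(), reverse=True)

def total_annual_impact(scenarios):
    return sum(s.annual_impact() for s in scenarios)

def residual_impact(scenarios, cm):
    """Annual impact that remains once the countermeasure is in place."""
    return sum(s.annual_impact() * (1.0 - cm.reduction.get(s.name, 0.0))
               for s in scenarios)

def net_annual_benefit(scenarios, cm):
    """Avoided annual impact minus countermeasure cost; a positive result is
    the financial justification the business rationale is meant to supply."""
    avoided = total_annual_impact(scenarios) - residual_impact(scenarios, cm)
    return avoided - cm.annual_cost_usd

# Constructed sample data (made-up figures, hypothetical utility)
SCENARIOS = [
    Scenario("Ransomware on SCADA HMI network", 750_000, 0.20),
    Scenario("Unauthorized setpoint change via vendor remote access", 2_000_000, 0.05),
    Scenario("Customer billing data breach", 400_000, 0.10),
]
SEGMENTATION = Countermeasure(
    "Control-network segmentation and vendor remote-access controls", 120_000,
    {"Ransomware on SCADA HMI network": 0.6,
     "Unauthorized setpoint change via vendor remote access": 0.8},
)
```

With these placeholder figures the ransomware scenario ranks first and the segmentation countermeasure avoids $170,000 of annual impact against a $120,000 annual cost, a net benefit of $50,000 per year.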
Answers for tough questions…
Could you have done more to prevent this attack?
Just 2 years till retirement!
Because we have a comprehensive security plan we were able to detect the cyber activity early and implement countermeasures quickly to mitigate it. As a result the impact on public safety, the environment and our operations was minimized.
Key points on cybersecurity
 Security is a process not a task! Journey not a destination!
 Security is not an absolute! It’s a matter of degree.
 Neither practical nor feasible to fully mitigate all risks.
 Must allocate available resources as efficiently as possible.
 The responsibility of protecting IACS from cyber events belongs to the people who operate and maintain these systems.
 Goal: Risk management for critical infrastructure.
Easy questions for me?
Presenter
Don Dickinson
Senior Business Development Manager – Water Sector
Phoenix Contact USA
Contact information:
e-mail: ddickinson@phoenixcon.com
Phone: 800-888-7388, ext 3868
White Paper:
 Making a Business Case for Cybersecurity